Bug 96043 (CVE-2005-1920)

Summary: VUL-0: CVE-2005-1920: kate backup file permission leak
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: dmueller, mls, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1920: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2005-07-12 07:55:31 UTC
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.
I guess you got the patch via kde-packagers already?

Date: Tue, 12 Jul 2005 01:18:37 +0200
From: Dirk Mueller <mueller@kde.org>
To: kde-packager@kde.org
Cc: vendor-sec@lst.de, security@kde.org
Subject: [vendor-sec] [PRENOTIFICATION] Kate backup file permission leak

Hi, 

there is an older problem in kwrite/kate that somehow got lost in the 
handling.. see attached advisory and patch. 


-- 
Dirk//\

KDE Security Advisory: Kate backup file permission leak
Original Release Date: 2005-07-18
URL: http://www.kde.org/info/security/advisory-20050718-1.txt

0. References
        CVE CAN XXXXXXXX
        https://bugs.kde.org/show_bug.cgi?id=103331


1. Systems affected:

        All maintained versions of Kate and Kwrite as shipped with
        KDE up to and including 3.4.0. KDE 3.4.1 and newer are not affected.


2. Overview:

        Kate / Kwrite create a file backup before saving a modified
        file. These backup files are created with default permissions,
        even if the original file had more strict permissions set.


3. Impact:

        Depending on the system security settings, backup files
        might be readable by other users.  Kate / Kwrite are
        network transparent applications and therefore this
        vulnerability might not be restricted to local users.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        A patch for KDE up to and including 3.4.0 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        50f7bc6d8cf4b7aaa65e4e8062fc46c9  post-3.4.0-kdelibs-kate.diff
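
The behaviour described in the advisory's overview, next to a corrected form, as an added C example (not the KDE patch and not Kate's code). `make_backup`, `backup_mode_of_private_file`, the `/tmp/kate-demo-` path and the `~` backup suffix are assumptions chosen for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Copy everything from fd in to fd out; 0 on success, -1 on error. */
static int copy_fd(int in, int out) {
    char buf[4096];
    ssize_t n, w;
    while ((n = read(in, buf, sizeof buf)) > 0)
        for (ssize_t off = 0; off < n; off += w)
            if ((w = write(out, buf + off, (size_t)(n - off))) < 0) return -1;
    return n < 0 ? -1 : 0;
}

/* preserve == 0: pattern the advisory describes, backup gets 0666 & ~umask.
 * preserve != 0: backup starts owner-only, then takes the original's bits. */
int make_backup(const char *src, const char *dst, int preserve) {
    struct stat st;
    int rc = -1, in = open(src, O_RDONLY);
    if (in < 0 || fstat(in, &st) < 0) { if (in >= 0) close(in); return -1; }
    unlink(dst);  /* drop a stale backup; O_EXCL refuses a re-created path */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, preserve ? 0600 : 0666);
    if (out >= 0) {
        if (copy_fd(in, out) == 0 &&
            (!preserve || fchmod(out, st.st_mode & 0777) == 0)) rc = 0;
        close(out);
        if (rc != 0) unlink(dst);  /* never leave a partial backup behind */
    }
    close(in);
    return rc;
}

/* Constructed demo: back up a 0600 file under umask 022, return backup mode. */
int backup_mode_of_private_file(int preserve) {
    char src[] = "/tmp/kate-demo-XXXXXX", dst[64];
    struct stat st;
    int mode = -1, fd = mkstemp(src);      /* mkstemp creates the file 0600 */
    if (fd < 0) return -1;
    if (write(fd, "secret\n", 7) != 7) { close(fd); unlink(src); return -1; }
    close(fd);
    snprintf(dst, sizeof dst, "%s~", src); /* "~" suffix is an assumption */
    mode_t old = umask(022);
    if (make_backup(src, dst, preserve) == 0 && stat(dst, &st) == 0)
        mode = st.st_mode & 0777;
    umask(old);
    unlink(dst); unlink(src);
    return mode;
}
```

With a umask of 022, the first variant leaves the backup of an owner-only file at 0644, while the second keeps it at 0600.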
Comment 1 Ludwig Nussel 2005-07-13 06:48:55 UTC
public according to Dirk  
Comment 2 Ludwig Nussel 2005-07-13 08:28:54 UTC
CAN-2005-1920 
 
Are we affected or not? 
Comment 3 Dirk Mueller 2005-07-13 09:00:09 UTC
for i in */suse/i586/kdelibs3.rpm; do echo -n "$i: "; rpm -qp $i; done 
8.2-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.1.1-157 
9.0-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.1.4-61 
9.1-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.2.1-44.50.3 
9.1-i686/suse/i586/kdelibs3.rpm: kdelibs3-3.2.1-44.50.3 
9.2-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.3.0-34.8 
9.2-i686/suse/i586/kdelibs3.rpm: kdelibs3-3.3.0-34.8 
9.3-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.4.0-20.6 
9.3-i686/suse/i586/kdelibs3.rpm: kdelibs3-3.4.0-20.6 
next-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.4.1-5 
next-i686/suse/i586/kdelibs3.rpm: kdelibs3-3.4.1-5 
sles8-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.0.3-215 
sles8-slec-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.1.1-157 
sles9-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.2.1-44.50.3 
sles9-i686/suse/i586/kdelibs3.rpm: kdelibs3-3.2.1-44.50.3 
sles9-jds-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.2.1-44.52 
sles9-sld-beta-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.2.1-44.52 
sles9-sld-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.2.1-44.50.3 
synctreetest/suse/i586/kdelibs3.rpm: kdelibs3-3.2.1-44.50.3 
ul1-i386/suse/i586/kdelibs3.rpm: kdelibs3-3.0.3-215 
 
so 9.1-9.3 and sles9 are affected for sure. about KDE 3.1.x and KDE 3.0.x I'm
not sure, I think it is unaffected, but I need to find a system to test it
first..
 
 
Comment 4 Dirk Mueller 2005-07-13 09:22:44 UTC
KDE 3.0.x not affected.. 
Comment 5 Dirk Mueller 2005-07-13 09:53:01 UTC
KDE repository digging showed that the vulnerable code was introduced
2002-12-18, that's after 3.1.x branching, and the backports don't seem to
include that. That would indicate that 3.1.x is not affected as well.
Comment 6 Dirk Mueller 2005-07-13 11:24:34 UTC
STABLE not affected 
Comment 7 Dirk Mueller 2005-07-13 19:16:56 UTC
$ ls -1d /work/src/done/*/kdelibs3 
/work/src/done/9.1/kdelibs3 
/work/src/done/9.2/kdelibs3 
/work/src/done/9.3/kdelibs3 
/work/src/done/SLES9/kdelibs3 
 
Comment 8 Marcus Meissner 2005-07-13 20:12:34 UTC
there is a small problem with sles9-beta, since it has a newer kdelibs3 
 
will clear that tomorrow. 
Comment 9 Dirk Mueller 2005-07-14 09:57:35 UTC
fixed sles9-beta as well  
Comment 10 Ludwig Nussel 2005-07-18 15:08:56 UTC
SM-Tracker-1809 
Comment 11 Michael Schröder 2005-07-25 11:59:10 UTC
Ok if I remove 8.2/9.0 from kdelibs3.patch.box? 
Comment 12 Dirk Mueller 2005-07-25 12:11:04 UTC
yes, 8.2 and 9.0 are not affected by this bug.  
Comment 13 Dirk Mueller 2005-07-27 12:15:48 UTC
ping.. nothing happening.. 
Comment 14 Ludwig Nussel 2005-07-27 12:19:11 UTC
it's in the qa queue  
Comment 15 Ludwig Nussel 2005-08-01 09:18:26 UTC
updates released  
Comment 16 Thomas Biege 2009-10-13 21:32:43 UTC
CVE-2005-1920: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)